type code roll draft comments
Edward Lewis <edlewis@arin.net> Wed, 18 June 2003 14:47 UTC
From: Edward Lewis <edlewis@arin.net>
Subject: type code roll draft comments
Date: Wed, 18 Jun 2003 10:47:56 -0400
Lines: 106
Sender: owner-namedroppers@ops.ietf.org
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Cc: edlewis@arin.net
X-From: owner-namedroppers@ops.ietf.org Wed Jun 18 17:03:11 2003
Return-path: <owner-namedroppers@ops.ietf.org>
X-Sender: edlewis@127.0.0.1
To: namedroppers@ops.ietf.org
Precedence: bulk
X-Message-ID:
Message-ID: <20140418071731.2560.95652.ARCHIVE@ietfa.amsl.com>
# Legacy Resolver Compatibility for Delegation Signer # draft-ietf-dnsext-dnssec-2535typecode-change-02.txt # # Abstract # # As the DNS Security (DNSSEC) specifications have evolved, the # syntax and semantics of the DNSSEC resource records (RRs) have # changed. Many deployed nameservers understand variants of these # semantics. Dangerous interactions can occur when a resolver that # understands an earlier version of these semantics queries an # authoritative server that understands the new delegation signer # semantics, including at least one failure scenario that will cause # an unsecured zone to be unresolvable. This document proposes that # these interactions be avoided by changing the type codes and # mnemonics of the DNSSEC RRs (SIG, KEY, and NXT). One thorny issue is that it is not just name servers that understand some variants, but that some DHCP servers do also, and this is why SIG(0) has become an annoying issue. (Yes, I'm being a PITA about documenting the rationale again.) # 1. Introduction # # incompatible with the semantics in [RFC2535]. Answers provided by A nit: For consistency (see also text in 1.2), refer to RFC 2535 as "RFC 2535", with the reference ("[RFC2535]") appearing just once. I'd recommend this for other RFC's too. # 1.1 Terminology # # In this document, the term "unsecure delegation" means any # delegation for which no DS record appears at the parent. An # "unsecure referral" is an answer from the parent containing an NS # RRset and a proof that no DS record exists for that name. And you are referring (heh) to "NS referrals" and not "CNAME referrals". # 1.2 The Problem The "trigger" or last straw prompting this. There are many decent reasons to change the protocol parameters when a standard recycles at a certain level, especially Proposed, but there is one problem in particular that launched this effort. I would also add the observation that in RFC 2308 (NCACHE), looking at "NODATA REPSONSE: TYPE 1." and then considering that in the olden days an NXT was thought to be an SOA-replacement in negative answers, it seems as if the presence of the no-DS record is indicating a negative answer, not a positive answer indicating an "end of security." # 2.1. Change SIG, KEY, and NXT type codes # # include NXT records in the authority section. The simplest way to # do that is to change the type codes for SIG, KEY, and NXT. Well, "simplest" would be to just change NXT as you mention in 2.2. Changing all three would be conceptually nicer, especially given that blindly changing SIG and KEY leaves us in a hung state with SIG(0) (as non-DNS elements are already experimenting with it). # 2.5. Do nothing # # and, due to underspecification in those documents, interpret any s/s/ s/ # 3. Protocol changes # # If a resolver receives the old types, it SHOULD treat them as You mean KEY and NXT.?. # Authoritative servers SHOULD NOT serve SIG, KEY, or NXT records. Authoritative servers ought not edit the zones they have loaded. Are you saying that the server ought to refuse to load zones with these and ought to refuse updates that attempt to add these records? I'm confused. If a SIG(0) is seen and a DNSKEY isn't allowed to have generated it, where does the public key come from to validate the SIG(0) at the end of the message? # 4. IANA Considerations # Types 24 (SIG) is retained for SIG(0) [RFC2931] use only. Types 25 # and 30 (KEY and NXT) should be marked as Obsolete. I can see NXT being obsoleted. But I am not clear from the text whey the KEY is also. -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis +1-703-227-9854 ARIN Research Engineer ...as graceful as a blindfolded bull in a china shop... -- to unsubscribe send a message to namedroppers-request@ops.ietf.org with the word 'unsubscribe' in a single line as the message text body. archive: <http://ops.ietf.org/lists/namedroppers/>
- type code roll draft comments Edward Lewis